Polylog
The Polylog Crypto Intelligence Brief

Morning Edition · Sunday, July 12, 2026Published at 1:29 AM EDT · New York

Oracle Flaw Drains $9 Million From Hedera's Largest Lender, With $5.25 Million Bridged to Ethereum

The attacker pledged 250 SAUCE tokens worth a few dollars, submitted a price inflated by about twelve orders of magnitude, and borrowed millions after a Supra verifier accepted a signature that resolved to zero.

Oracle Flaw Drains $9 Million From Hedera's Largest Lender, With $5.25 Million Bridged to Ethereum

Bonzo Lend, the largest decentralized lender on the Hedera network, lost approximately 9.05 million dollars after an attacker exploited a verification flaw in a third-party Supra oracle contract, CoinDesk reported. The mechanism was price manipulation. The attacker deposited 250 SAUCE tokens, worth only a few dollars, then submitted a manipulated price update that inflated the token's value by roughly twelve orders of magnitude. Against that fictitious collateral they borrowed about 6.6 million dollars in USD Coin (USDC) and 34.5 million Wrapped HBAR.

The root cause was cryptographic, not economic. Bonzo said the Supra verifier approved the malicious submission because both the signature point and the referenced committee public key resolved to zero, so the signature check returned a valid result on an input that should have failed. Supra has acknowledged the issue and deployed a fix to the verifier contract on Hedera mainnet. Hedera's total value locked fell by nearly 40 percent in 24 hours and Bonzo's by 77 percent, and the attacker bridged more than 5.25 million dollars to Ethereum, which complicates recovery.

The incident is one of a steady series of smaller thefts catalogued by Rekt News, whose recent list includes losses at BonkDAO, Summer Finance, SecondFi, Secret Network, and an Aztec bridge. The common pattern across the larger events is not a new class of exploit but the repeated failure to validate a single trusted input, the price feed, before funds move.

What this means

Oracle and verifier logic remains the highest-impact attack surface in lending markets, because a single accepted bad price converts a few dollars of collateral into millions in loans, and the exposed parties are depositors and the bridges that carry stolen funds onward. The channel is contagion through composability. When the manipulated value is borrowed and then bridged, losses concentrated at one protocol propagate into whichever chain receives the assets, here Ethereum, where freezing is harder.

What to watch

  • Whether Supra or Bonzo can attribute or freeze the bridged funds, which determines if any of the 9 million dollars is recoverable.
  • How many other lenders depend on the same Supra verifier design, since the zero-signature acceptance flaw could recur wherever that check is reused.

Observations to monitor, not financial advice.

2 sources

Synthesized from: CoinDesk · Rekt News

Part of a tracked trend

Bridge and Mint Exploits Sustain Heavy DeFi Losses

Over 3-6 months, recurring bridge proof-validation and unauthorized-mint exploits keep monthly DeFi losses elevated, including drains of deprecated contracts.